I would like to know if anyone knows a way to retrieve the lockout location of a user. Is the best way to do that to read the event log from the domain and extract the location from the security event, or is there an alternative?
I have a program to check all users in AD; if one is locked it will tell me. I would like to add in the place of the lockout.
```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Drawing;
using System.Reflection;
using Pastel;

public void CheckLockedAccounts(PrincipalContext context)
{
    Console.WriteLine("\nLocked user accounts:");
    try
    {
        // Creating the search object: all enabled user accounts in the directory
        PrincipalSearcher searcher = new PrincipalSearcher(new UserPrincipal(context) { Enabled = true });
        bool isAnyLocked = false;

        foreach (var result in searcher.FindAll()) // Look through what is in the user search object
        {
            // Null-check before calling IsAccountLockedOut(), and skip users that are not locked
            UserPrincipal user = result as UserPrincipal;
            if (user == null || !user.IsAccountLockedOut())
            {
                continue;
            }

            DirectoryEntry directoryEntry = user.GetUnderlyingObject() as DirectoryEntry;
            DateTime? lockoutTime = null;
            string workstationName = "N/A"; // Not stored on the user object; still to be filled in

            if (directoryEntry != null && directoryEntry.Properties.Contains("lockoutTime"))
            {
                object lockOutValue = directoryEntry.Properties["lockoutTime"].Value; // grab time of lockout
                if (lockOutValue != null)
                {
                    long lockoutTicks = 0;
                    try
                    {
                        // lockoutTime is an IADsLargeInteger COM object: read HighPart/LowPart and
                        // rebuild the 64-bit FILETIME value
                        var highPart = (int)lockOutValue.GetType().InvokeMember("HighPart", BindingFlags.GetProperty, null, lockOutValue, null);
                        var lowPart = (int)lockOutValue.GetType().InvokeMember("LowPart", BindingFlags.GetProperty, null, lockOutValue, null);
                        lockoutTicks = ((long)highPart << 32) + (uint)lowPart;
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine($"Error reading lockoutTime COM object for {user.SamAccountName}: {ex.Message}");
                    }

                    if (lockoutTicks > 0)
                    {
                        lockoutTime = DateTime.FromFileTimeUtc(lockoutTicks).ToLocalTime();
                    }
                }
            }

            // Print out all locked users
            Console.WriteLine($"\t[{lockoutTime?.ToString("MM-dd-yyyy HH:mm:ss tt")}] - {user.SamAccountName} - Workstation: {workstationName}".Pastel(Color.Crimson));
            isAnyLocked = true;
        } // end of foreach

        if (!isAnyLocked)
        {
            Console.WriteLine("\tNo accounts are LOCKED!!! YAY!!!.".Pastel(Color.RoyalBlue));
        }
    } // end of try
    catch (Exception ex)
    {
        Console.WriteLine($"Error: {ex.Message}".Pastel(Color.IndianRed));
    } // end of catch
} // end of CheckLockedAccounts
```

- What makes you think that Location is something that the system can know? Do you expect to find e.g. "USA" or "New York City USA" or "room 123 on 4th floor of Trump Tower New York City USA?" (Peter B, 2025-10-23 20:48 UTC)
- If it's the machine name you want, and you are OK with using the event log, you can do learn.microsoft.com/en-us/previous-versions/windows/it-pro/… Be aware that you need to check all DCs, as you don't know which one locked it out. I don't believe this info is stored anywhere else. (Charlieface, 2025-10-24 00:02 UTC)
- @PeterB: It usually knows the machine that sent the last auth request that caused the account to enter lockout, and if the directory isn't a single bag of accounts in CN=Computers, then the computer's account should describe its location accurately. (grawity, 2025-10-24 05:54 UTC)
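As an added example (not the asker's code, and not taken from the linked Microsoft page), the following C# helper follows the event-log route the comments describe: it reads Security event 4740 ("A user account was locked out") from each domain controller with System.Diagnostics.Eventing.Reader and extracts the computer that sent the failing logon, which is the value the asker wants in place of the "N/A" workstation. Assumptions: you supply the list of DC names yourself (every DC has to be checked, as noted above), the account running the program is allowed to read the remote Security logs, the XPath filter syntax accepted by the Windows event log is used, and the field mapping follows the 4740 event schema, where the caller computer name is carried in the Data element named TargetDomainName. The event XML in Main is constructed sample data, not a real log entry.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

// Hypothetical helper (not part of the asker's program): finds the computer that
// triggered an account lockout by reading Security event 4740 from each DC.
public sealed class LockoutSourceEvent
{
    public string DomainController { get; set; }
    public DateTime? TimeCreated { get; set; }
    public string SamAccountName { get; set; }
    public string CallerComputer { get; set; }
}

public static class LockoutSource
{
    private static readonly XNamespace EventNs = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Queries every supplied DC (newest event first) for 4740 events naming this account.
    // Reading a remote Security log needs rights such as membership in Event Log Readers.
    public static List<LockoutSourceEvent> Find(string samAccountName, IEnumerable<string> domainControllers)
    {
        // The account name is embedded in an XPath filter; refuse quotes rather than let them alter the query.
        if (string.IsNullOrEmpty(samAccountName) || samAccountName.Contains("'"))
            throw new ArgumentException("Invalid account name.", nameof(samAccountName));

        string xpath = $"*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='{samAccountName}']]";
        var results = new List<LockoutSourceEvent>();

        foreach (string dc in domainControllers)
        {
            try
            {
                using (var session = new EventLogSession(dc))
                {
                    var query = new EventLogQuery("Security", PathType.LogName, xpath)
                    {
                        Session = session,
                        ReverseDirection = true // newest lockout first
                    };
                    using (var reader = new EventLogReader(query))
                    {
                        for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                        {
                            using (rec)
                            {
                                results.Add(ParseLockoutEvent(dc, rec.TimeCreated, rec.ToXml()));
                            }
                        }
                    }
                }
            }
            catch (EventLogException ex)
            {
                // Unreachable DC or missing rights: report it and keep checking the others.
                Console.WriteLine($"Could not read Security log on {dc}: {ex.Message}");
            }
        }
        return results;
    }

    // Pulls the fields out of the event XML. In 4740 the Data element named
    // TargetDomainName carries the caller computer name, not a domain.
    public static LockoutSourceEvent ParseLockoutEvent(string dc, DateTime? timeCreated, string eventXml)
    {
        XDocument doc = XDocument.Parse(eventXml);
        string Data(string name) => doc.Descendants(EventNs + "Data")
            .FirstOrDefault(d => (string)d.Attribute("Name") == name)?.Value;

        return new LockoutSourceEvent
        {
            DomainController = dc,
            TimeCreated = timeCreated?.ToLocalTime(),
            SamAccountName = Data("TargetUserName"),
            CallerComputer = Data("TargetDomainName") ?? "N/A"
        };
    }

    // Offline check against a constructed 4740 event (sample data, not a real log entry).
    public static void Main()
    {
        const string sampleXml = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4740</EventID><Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name='TargetUserName'>jdoe</Data>
    <Data Name='TargetDomainName'>WS-FINANCE-07</Data>
    <Data Name='TargetSid'>S-1-5-21-1-2-3-1105</Data>
    <Data Name='SubjectUserName'>DC01$</Data>
  </EventData>
</Event>";
        var e = ParseLockoutEvent("DC01.example.test", new DateTime(2025, 10, 24, 9, 15, 0, DateTimeKind.Utc), sampleXml);
        Console.WriteLine($"{e.SamAccountName} locked out from {e.CallerComputer} (seen on {e.DomainController} at {e.TimeCreated})");

        // Live use, e.g. with names taken from Domain.GetCurrentDomain().DomainControllers:
        // foreach (var hit in Find("jdoe", new[] { "dc01.example.test", "dc02.example.test" })) { ... }
    }
}
```

To plug this into the program above, call Find(user.SamAccountName, dcNames) for each locked user and use the newest result's CallerComputer as the workstation name; the grawity comment's point still applies, namely that the computer account's own OU or description is where any physical "location" would come from, since the event only identifies the machine.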